RSA LIVE January and February Content Announcement

The RSA Content team is pleased to announce the addition of new and updated content to the RSA Live Content Library.

Threat Detection Content

Novetta Research identified IOC IPs and Domains

Novetta recently released a research paper detailing background and specifics around the Sony Hack in November of last year, and identified a new and very active Threat Actor Group that they are calling “Lazarus Group”. Reference the website below for more details:

This research identified 45 distinct malware families, many Command and Control (C2) points and more.

RSA FirstWatch, leveraging the Novetta research, has incorporated the C2 indicators in RSA Live under the Third Party Indicator Feeds:

1. Third Party IOC IPs – Contains IPs published as malicious from third party research and publications

2. Third Party IOC Domain – Contains domains published as malicious from third party research and publications

Customers should subscribe to the above feeds. Once deployed, the following pivot can be used in Security Analytics to locate suspect traffic:

· threat.category = novetta
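To show what the feed subscription and the pivot above do together, here is an added example that is not RSA's code and does not use RSA's feed format: a small Python model in which constructed feed entries (placeholder indicators from reserved example ranges, not real IOCs) tag matching sessions with a `threat.category` value, and a `pivot()` helper then applies the equivalent of `threat.category = novetta`. The field names `ip.dst`, `alias.host` and `sessionid` are assumed for the sample sessions.

```python
# Constructed feed entries modelled on the Third Party IOC IPs / IOC Domain feeds.
# Indicators are placeholders from reserved example ranges, not real IOCs.
THIRD_PARTY_IOC_IPS = {
    "198.51.100.23": {"threat.category": "novetta", "threat.desc": "c2 ip"},
    "203.0.113.77":  {"threat.category": "other-research", "threat.desc": "c2 ip"},
}
THIRD_PARTY_IOC_DOMAINS = {
    "c2-example.invalid": {"threat.category": "novetta", "threat.desc": "c2 domain"},
}


def normalize_host(host):
    """Lower-case a hostname and drop a trailing dot so feed lookups are exact."""
    return host.rstrip(".").lower() if host else None


def enrich(event):
    """Return a copy of the event with feed metadata attached when ip.dst or
    alias.host matches a feed indicator (the IP feed is consulted first)."""
    tagged = dict(event)
    meta = THIRD_PARTY_IOC_IPS.get(event.get("ip.dst"))
    if meta is None:
        meta = THIRD_PARTY_IOC_DOMAINS.get(normalize_host(event.get("alias.host")))
    if meta:
        tagged.update(meta)
    return tagged


def pivot(events, key, value):
    """Equivalent of the Security Analytics pivot `key = value`."""
    return [e for e in events if e.get(key) == value]


# Constructed sample sessions (assumed field names, not captured traffic).
SAMPLE_SESSIONS = [
    {"sessionid": 1, "ip.src": "10.0.0.5", "ip.dst": "198.51.100.23", "alias.host": None},
    {"sessionid": 2, "ip.src": "10.0.0.6", "ip.dst": "192.0.2.44", "alias.host": "C2-Example.invalid."},
    {"sessionid": 3, "ip.src": "10.0.0.7", "ip.dst": "203.0.113.77", "alias.host": None},
    {"sessionid": 4, "ip.src": "10.0.0.8", "ip.dst": "192.0.2.10", "alias.host": "intranet.corp.invalid"},
]


def novetta_sessions(sessions=SAMPLE_SESSIONS):
    """Session ids that the pivot threat.category = novetta would surface."""
    enriched = [enrich(s) for s in sessions]
    return [e["sessionid"] for e in pivot(enriched, "threat.category", "novetta")]


if __name__ == "__main__":
    print(novetta_sessions())  # [1, 2]
```

Session 3 matches a feed entry but carries a different `threat.category`, so the pivot excludes it; that is the point of filtering on the category rather than on "any feed hit".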

RSA FirstWatch will continue working on updating content to catch different attack vectors discussed in the Novetta Research paper. This content will be made available to customers through RSA Live when complete.

RSA Live Content Update to Detect Lateral Movement

Lateral movement is a part of the kill chain. After an initial compromise has given an attacker entry into a company’s internal environment, lateral movement is the process of elevating credentials and gaining access to additional internal systems. A package of content containing a set of rules to monitor Windows systems for lateral movement is described on RSA Link.
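The RSA Link package's own rules are not reproduced on this page. As an added illustration of the kind of rule such a package contains, not RSA's code, the following Python flags an account whose network logons reach several distinct hosts within a short window, which is one common lateral-movement signal. The log entries are constructed, the field names are assumed (Windows Event ID 4624 with logon type 3 is a network logon), and the window and threshold are arbitrary tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security log entries (assumed field layout, not the RSA
# package's schema): time, event id, logon type, account, target host, source IP.
SAMPLE_LOGONS = [
    ("2016-02-01T09:00:00", 4624, 3, "CORP\\jdoe",   "WS01", "10.0.0.5"),
    ("2016-02-01T09:00:20", 4624, 3, "CORP\\jdoe",   "WS02", "10.0.0.5"),
    ("2016-02-01T09:01:05", 4624, 3, "CORP\\jdoe",   "FS01", "10.0.0.5"),
    ("2016-02-01T09:01:40", 4624, 3, "CORP\\jdoe",   "DC01", "10.0.0.5"),
    ("2016-02-01T09:02:00", 4624, 2, "CORP\\asmith", "WS07", "-"),        # interactive logon, ignored
    ("2016-02-01T09:03:00", 4625, 3, "CORP\\jdoe",   "DC02", "10.0.0.5"), # failed logon, ignored
    ("2016-02-01T09:05:00", 4624, 3, "CORP\\asmith", "FS01", "10.0.0.9"),
    ("2016-02-01T14:00:00", 4624, 3, "CORP\\asmith", "WS07", "10.0.0.9"), # hours later, outside window
]


def parse(rows):
    """Turn the tuples above into dicts with a parsed timestamp."""
    return [
        {"time": datetime.fromisoformat(t), "event_id": eid, "logon_type": lt,
         "user": u, "host": h, "src_ip": s}
        for t, eid, lt, u, h, s in rows
    ]


def fan_out_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Return {account: sorted hosts} for accounts whose successful network
    logons (4624, type 3) hit at least `threshold` distinct hosts inside any
    span of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        # Slide the window start over each logon and count distinct targets.
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["time"] - start["time"] <= window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    print(fan_out_alerts(parse(SAMPLE_LOGONS)))  # {'CORP\\jdoe': ['DC01', 'FS01', 'WS01', 'WS02']}
```

In practice the threshold is tuned per environment (backup and scanning accounts legitimately fan out) and the alert is usually enriched with the source IP so analysts can see whether all the logons originate from one workstation.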

RSA Live Content Update to Detect Vulnerabilities

Content has been updated to detect the following vulnerabilities using Security Analytics:

· Cisco recently disclosed vulnerabilities in the IKE (v1 and v2) code of Cisco ASA Software that could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The RSA Security Analytics Content Team has updated the relevant content to detect this vulnerability. Additional details on detecting it using Security Analytics are provided on RSA Link.